    Multiple attempts daily on same ports.

    Hello,

    So every day, I am now receiving a decent number of emails (I'd say maybe around 50) showing that various IP addresses from all over the world are trying to connect to one of my VPSes.

    They're always the same.

    First they attempt to connect to TCP port 7001 3 times. Then, they attempt to connect to TCP port 2004 3 times. Finally, they attempt to connect to TCP port 8080 5 times before lfd blocks them.

    I've verified the ports are closed and nothing is listening on them by running netstat -tulpn.

    However, what worries me a bit is this. I currently own three domains. All three run on the same physical virtual machine for now. But two of the domains have an entirely different IPv4 and IPv6 address than the first. Some of the attempts are on the first IPv4 address, some are on the second.

    I am not certain how they could have figured out the second address. I believe I have my DNS server set up in such a way where zone-walking is impossible.

    We have been attempting to use Skype for Business, where we need to modify our DNS records to point the Skype for Business application to the right servers. Same with Exchange. Need DNS records so our mail clients, like outlook (yuck) know how to access the exchange server.

    I've googled all the ports and I see, as usual, they can be used for multiple programs, but the one thing they all seem to share is a trojan or virus (whatever you want to call it) tends to use all three of those ports. I haven't researched to see if it's the same trojan / virus that uses them.

    Does anyone know of any legitimate programs or services that might be trying to connect to those ports? Anything come in mind as to what might be happening? It's been going on for about a week now.

    Thanks.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
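    An added example (not code from the thread or any of its posters): a small Python checker that reads netfilter-style LOG lines and flags sources that follow the exact 3x7001, 3x2004, 5x8080 sequence described above, reporting which destination addresses they reached. The log lines, addresses and the "Firewall: *TCP_IN Blocked*" log prefix are constructed samples, not output from the poster's server.

```python
"""Flag sources that replay the 7001/2004/8080 probe sequence in firewall LOG lines.
All log lines below are constructed samples in netfilter LOG-target style."""
import re
from collections import defaultdict

# Ordered (port, count) signature the poster observed before lfd blocked a source.
SIGNATURE = [(7001, 3), (2004, 3), (8080, 5)]
EXPECTED = [p for p, n in SIGNATURE for _ in range(n)]   # 11 attempts in order


def _lines(src, dst, ports):
    """Build constructed LOG lines (the prefix is an assumed iptables --log-prefix)."""
    return [f"Apr 24 02:31:{i:02d} vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=60 PROTO=TCP SPT={40000 + i} DPT={p} WINDOW=1024"
            for i, p in enumerate(ports)]


# Two sources run the full sequence against two different addresses, one source is
# cut off mid-sequence, one probes an unrelated port, and one UDP line is noise.
SAMPLE_LOG = "\n".join(
    _lines("203.0.113.7", "198.51.100.10", EXPECTED)
    + _lines("203.0.113.9", "198.51.100.20", EXPECTED)
    + _lines("203.0.113.11", "198.51.100.10", [7001] * 3 + [2004] * 2)
    + _lines("192.0.2.5", "198.51.100.10", [22])
    + ["Apr 24 02:32:00 vps kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= "
       "SRC=192.0.2.6 DST=198.51.100.10 LEN=60 PROTO=UDP SPT=5353 DPT=53"]
)

LINE_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")


def parse(log_text):
    """Return {src: [(dst, dport), ...]} in log order; non-TCP or malformed lines are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m["src"]].append((m["dst"], int(m["dpt"])))
    return hits


def verdict(ports):
    """'signature' for the exact sequence, 'partial' for a prefix of it (blocked or
    still in progress), 'other' for anything else."""
    if ports == EXPECTED:
        return "signature"
    if ports and EXPECTED[:len(ports)] == ports:
        return "partial"
    return "other"


def classify(log_text):
    """Per source: verdict, number of attempts and the destination addresses touched."""
    report = {}
    for src, events in parse(log_text).items():
        ports = [p for _, p in events]
        report[src] = {"verdict": verdict(ports), "attempts": len(ports),
                       "targets": sorted({d for d, _ in events})}
    return report


def signature_sources(log_text):
    """Sources matching the full sequence, plus every destination address they covered.
    A destination list longer than one shows the same campaign hitting several of
    the server's addresses, as the poster describes."""
    report = classify(log_text)
    srcs = sorted(s for s, r in report.items() if r["verdict"] == "signature")
    dsts = sorted({d for s in srcs for d in report[s]["targets"]})
    return srcs, dsts


if __name__ == "__main__":
    for src, r in classify(SAMPLE_LOG).items():
        print(f"{src:14} {r['verdict']:9} attempts={r['attempts']:2} targets={r['targets']}")
    print("signature sources, addresses hit:", signature_sources(SAMPLE_LOG))
```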

    #2
    Re: Multiple attempts daily on same ports.

    8080 is high port HTTP server.
    7001 is afs3 caching callback port and less often (and probably the target they are after) the default for the BEA webLogic HTTP server.
    2004 is used by some ancient mailer daemons.
    Things I've fixed: anything from semis to crappy Chinese $2 radios, and now an IoT Dildo....

    "Dude, this is Wyoming, i hopped on and sent 'er. No fucking around." -- Me

    Excuse me while i do something dangerous


    You must have a sad, sad boring life if you hate on people harmlessly enjoying life with an animal costume.

    Sometimes you need to break shit to fix it.... Thats why my lawnmower doesn't have a deadman switch or engine brake anymore

    Follow the white rabbit.



      #3
      Re: Multiple attempts daily on same ports.

      Not worth the effort to sweat over them, as long as they don't do anything, don't worry about it. There are so many computers and blackhats out there that there's someone out there looking for an exploit. They also do sequential search on ipv4 to find machines, so that's how they find them.

      You can't do sequential search on ipv6 so it's probably not that; however if they find your ipv6 address somehow, it could be put in a database to try exploits on at a later time.



        #4
        Re: Multiple attempts daily on same ports.

        Originally posted by goontron:
        8080 is high port HTTP server.
        7001 is afs3 caching callback port and less often (and probably the target they are after) the default for the BEA webLogic HTTP server.
        2004 is used by some ancient mailer daemons.
        I know 8080 can be used as a high port web server. But those ports are also used for malicious stuff. How could they have found out my other IPv4 address? They run on the same server, but totally different domain names and IP addresses and attacks are after both. 52 more since around 2:30am until now.
        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



          #5
          Re: Multiple attempts daily on same ports.

          Originally posted by eccerr0r:
          Not worth the effort to sweat over them, as long as they don't do anything, don't worry about it. There are so many computers and blackhats out there that there's someone out there looking for an exploit. They also do sequential search on ipv4 to find machines, so that's how they find them.

          You can't do sequential search on ipv6 so it's probably not that; however if they find your ipv6 address somehow, it could be put in a database to try exploits on at a later time.
          I don't get it though. If they're being blocked and those ports are closed, why keep trying the exact same ports over and over again? Perhaps they got in and are just hiding the ports... It's possible.....
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



            #6
            Re: Multiple attempts daily on same ports.

            Because the server/software might be there tomorrow.

            Hacking is a chance of opportunity.

            If you want to believe they got in and are hiding, you must be running Windows or don't really know how to secure your machine.



              #7
              Re: Multiple attempts daily on same ports.

              ^ He could be running the server on an old DDWRT router. There is malware that once it infiltrates them it locks them down so as not to compete with other malware forms....


                #8
                Re: Multiple attempts daily on same ports.

                It's only scary the first few times, after that, you ignore it or tell the server to stop logging it.....
                <--- Badcaps.net Founder

                Badcaps.net Services:

                Motherboard Repair Services

                ----------------------------------------------
                Badcaps.net Forum Members Folding Team
                http://folding.stanford.edu/
                Team : 49813
                Join in!!
                Team Stats



                  #9
                  Re: Multiple attempts daily on same ports.

                  ^ I just let fail2ban do everything.


                    #10
                    Re: Multiple attempts daily on same ports.

                    Originally posted by eccerr0r:
                    Because the server/software might be there tomorrow.

                    Hacking is a chance of opportunity.

                    If you want to believe they got in and are hiding, you must be running Windows or don't really know how to secure your machine.
                    I agree with the chance of opportunity, but each IP gets permanently banned. Why not use all those IPs to do a portscan or something and try seeing what I'm running? Why just blindly attack the same IPs time after time again?

                    And it doesn't make sense, the chance of opportunity. What, they just randomly guessed both the IPv4 addresses I have?

                    I know how to secure my machine and I wouldn't be running Windows on a server. If you think there's a way to make a server 100% hacker proof while running services to the outside world, you might want to rethink that. When you store customers' credit card info on your server (or accept credit card purchases), I believe you're required to become PCI compliant. And isn't it a requirement to have audit scans run every so often by a third party company? Or at least some sort of audit being run? New exploits come out every day. If you could make a server 100% hacker proof with just software, while providing services like Apache, allowing SSH connections to specific IP addresses, etc, I doubt they'd require those scans.

                    Let's think about this. Why does Apache get updated? Hmm. New features can be implemented...but also bug fixes. How many servers were exploitable to the symlink attack before it was discovered? Any server that accepted uploads that was running Linux. How would you protect your server against it if the exploit hadn't been discovered yet?

                    We can only patch exploitable software for the exploits we know about. We can run modsec, csf, lfd, rootkithunter, tripwire, etc. But that never guarantees someone doesn't get in.

                    Here, I will ignore them, but I can't stop them from trying. I still feel this deserves a little bit more research on the server just to confirm someone hasn't actually compromised it. I'd think it'd be stupid not to, seeing how it's still going on.

                    They're getting banned, and then they just reconnect with another IP from another country.
                    Last edited by Spork Schivago; 04-24-2018, 04:56 PM.
                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                      #11
                      Re: Multiple attempts daily on same ports.

                      Originally posted by Topcat:
                      It's only scary the first few times, after that, you ignore it or tell the server to stop logging it.....
                      Yeah, normally I do that, I've just never had anyone attempt the same thing for such a long time. I receive emails from one (or a couple) of my security programs, and it's just odd that it's always the exact same ports, same number of times, and it's been going on for a few weeks. You'd figure they'd have run out of IP addresses by now?

                      I was curious as to if maybe it was legitimate traffic that should have been coming through, but with the countries changing all the time, I doubt that very much.

                      Not sure how they got soooooo many different IP addresses. Each one gets banned after 11 attempts, and there must literally be 10,000 blocked IP addresses now in there.
                      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                        #12
                        Re: Multiple attempts daily on same ports.

                        Originally posted by goontron:
                        ^ I just let fail2ban do everything.
                        fail2ban is okay, but you should really check out ConfigServer Firewall sometime along with modsec and perhaps something for IDS, like tripwire.
                        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                          #13
                          Re: Multiple attempts daily on same ports.

                          I received an email earlier in the day talking about the General Data Protection Regulation (GDPR) and how I need to be compliant.

                          Has anyone heard of this GDPR before? Is this just a Europe thing or is it for the US as well? If so, we're approaching the deadline awful fast like and we're not compliant yet. There's just too much for one IT person to do right now.

                          Not getting any sleep, just working. TopCat, you want to help out, I trust you, same with Diif and a few others! I'll give ya instructions on how to access my machines remotely if you want to help me setup everything!!!! :-P
                          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                            #14
                            Re: Multiple attempts daily on same ports.

                            Originally posted by Spork Schivago:
                            fail2ban is okay, but you should really check out ConfigServer Firewall sometime along with modsec and perhaps something for IDS, like tripwire.
                            I don't do any HTTP or anything enough to warrant anything more complex...


                              #15
                              Re: Multiple attempts daily on same ports.

                              GDPR applies to personal data or behavioural information collected from an EU citizen if they reside in the EU at the time the data was collected.



                                #16
                                Re: Multiple attempts daily on same ports.

                                So if I collect personal data from an EU citizen that is residing in the EU, even though I'm in America and my servers are all in America, I need to be GDPR compliant?
                                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                                  #17
                                  Re: Multiple attempts daily on same ports.

                                  Problem being, there are 4.2 billion ipv4 addresses and 65K ports. Going through each will take forever as you need to at least wait for some response before moving on.
                                  However if you know how to hack a specific service, why not just check for that specific service on all 4.2 billion ipv4 addresses. That way if you find a vulnerable computer, you can go ahead and attack it, instead of simply knowing what services they have and not know anything about how to exploit them. That's why port scanning is only done by people who know about a specific machine they want to target, versus a specific vulnerable application they want to target.

                                  And yes, to do business in another country, you need to comply with their laws; but for small fry they probably won't bother you. Companies like fsckbook are complying, so you need to, too.



                                    #18
                                    Re: Multiple attempts daily on same ports.

                                    Originally posted by eccerr0r:

                                    And yes, to do business in another country, you need to comply with their laws; but for small fry they probably won't bother you. Companies like fsckbook are complying, so you need to, too.
                                    So we are required to IP-range-ban the EU, if we don't kiss an EU folk's ass???
                                    ASRock B550 PG Velocita

                                    Ryzen 9 "Vermeer" 5900X

                                    16 GB AData XPG Spectrix D41

                                    Sapphire Nitro+ Radeon RX 6750 XT

                                    eVGA Supernova G3 750W

                                    Western Digital Black SN850 1TB NVMe SSD

                                    Alienware AW3423DWF OLED




                                    "I love "Love It or List It with Hilary Farr!" -Myself

                                    "There's nothing more unattractive than a chick smoking a cigarette" -Topcat

                                    "Today's lesson in pissivity comes in the form of a ziplock baggie full of GPU extension brackets & hardware that for the last ~3 years have been on my bench, always in my way, getting moved around constantly....and yesterday I found myself in need of them....and the bastards are now nowhere to be found! Motherfracker!!" -Topcat

                                    "did I see a chair fly? I think I did! Time for popcorn!" -ratdude747



                                      #19
                                      Re: Multiple attempts daily on same ports.

                                      Originally posted by eccerr0r:
                                      Problem being, there are 4.2 billion ipv4 addresses and 65K ports. Going through each will take forever as you need to at least wait for some response before moving on.
                                      However if you know how to hack a specific service, why not just check for that specific service on all 4.2 billion ipv4 addresses. That way if you find a vulnerable computer, you can go ahead and attack it, instead of simply knowing what services they have and not know anything about how to exploit them. That's why port scanning is only done by people who know about a specific machine they want to target, versus a specific vulnerable application they want to target.

                                      And yes, to do business in another country, you need to comply with their laws; but for small fry they probably won't bother you. Companies like fsckbook are complying, so you need to, too.
                                      That makes sense, and I know there are programs that can scan the entire IPv4 class A range rather quick like. But to be targeting both of my IPs that are not related, they'd either be targeting a lot of people, including probably badcaps, or something is wrong somewhere.

                                      People shouldn't be able to zone walk the way I have my DNS server set up, they shouldn't be able to find the second IP address from the first site or vice-versa....makes me wonder if it's the same person who recently unsuccessfully hacked into my Facebook account, my email, and a few other things.

                                      I don't use Facebook, and haven't used it in over a year. So I was surprised when I saw an email saying my account was reactivated. So someone got my old password. We change our passwords, but because I deactivated the account over a year ago, I figured it would have been deleted. It wasn't. Facebook didn't recognize the IP address and required them to prove it was me by showing the people's faces and saying which one of these pictures is blah! Or this picture is who: blah 1, blah 2, blah 3, or blah 4.

                                      They failed that. Then they requested a password reset and got into my freaking yahoo mail! But again, the security tripped them up. It has to be someone I know locally. And there's not too many of them. But one out of the two people I suspect think they're hackers. They're what I call script kiddies. They were working with me for a bit, so when they needed access to the workstation locally, I used that old facebook password, so they wouldn't know my current one.

                                      They're the only two people, besides professional companies, that know the actual domain names of all three domains I currently own. And the fact that all three are being attacked, makes me think it's one of them. But to have as many IPs as they have, I don't think they're that good. You'd essentially need a bot net I figure or maybe some sort of proxy. The one kid says he's untraceable because he's behind a VPN.

                                      I gave them both the boot. One, his girl was stealing from me, and he, himself, when he did show, was always high on something. So he went real quick like. The other one just never showed, minus maybe twice I think. And literally knew nothing about PCs. But they both knew each other and always wanted to try and hack my neighbor's wifi. I'm like wtf are you guys doing? Don't do that shit here...

                                      Anyway, with Facebook, I downloaded all the data they had collected on me over the years, and grabbed the IP address. It was from Adams cable, which is in Addison, about 20 minutes from here. I think it's just too many coincidences.

                                      The one who was always high was still in communications with me, until I told him about the facebook thing and how I reported it to the FBI (which I did). Haven't heard from him since.
                                      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                                        #20
                                        Re: Multiple attempts daily on same ports.

                                        Originally posted by RJARRRPCGP:
                                        So we are required to IP-range-ban the EU, if we don't kiss an EU folk's ass???
                                        That's why so many of those foreign websites I cannot go to!!!!! Everyone's banning the US!
                                        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
